During a markup session on Oct. 29, the House Homeland Security Committee amended the Homeland Security Cybersecurity Boots-on-the-Ground Act to encourage DHS to boost the pool of IT security job candidates by creating a tuition-for-work fellowship as well as a program to identify military veterans and unemployed computer specialists for potential IT security employment.

Several committee members voiced concerns about the use of contractors performing cybersecurity chores at DHS. One of the bill's provisions would require DHS to provide contractors with initial and continued training on how to protect sensitive and classified information that's related to their assignments.

"This provision is responsive to the known vulnerabilities associated with the overreliance on contractors as underscored by the Edward Snowden case," says the bill's sponsor, Rep. Yvette Clarke, D-N.Y. Snowden is a former contractor for the National Security Agency who leaked hundreds of top secret documents revealing NSA electronic spying programs (see Who's to Blame at NSA for Snowden Leak?).

Occupation Classifications

The legislation also would require DHS to develop occupation classifications for individuals performing activities to advance the department's cybersecurity mission. DHS would be required to ensure that the classifications be made available to other federal agencies (see Bill Aims to Enhance DHS Cybersecurity Readiness).

In addition, HR 3107 would require DHS to develop a workforce strategy to enhance the readiness, capacity, training, recruitment and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs.

Other provisions in the bill would direct DHS's chief human capital officer and chief information officer to assess the readiness and capacity of the department to meet its mission to protect government and private-sector IT. It also would require the DHS secretary to provide Congress with updates on the development and implementation of cybersecurity strategies, assessments and training.

Rep. William Keating, D-Mass., says the legislation is needed because of a dearth of qualified IT security personnel at the department. He cited a Government Accountability Office report, which showed that 22 percent of the jobs in DHS's National Protection and Programs Directorate, the unit that houses cybersecurity personnel, were vacant in June (see DHS's Huge Cybersecurity Skills Shortage).

Attracting Very Best, Brightest

The Homeland Security Committee adopted an amendment to direct the DHS secretary to evaluate the creation of a cybersecurity fellowship program in which the federal government would subsidize tuition of undergraduate and graduate students in exchange for a commitment to work several years as a department cybersecurity specialist.

"This [would create] an opportunity for DHS to compete with the private sector in attracting the very, very best and the very, very brightest students who graduate with degrees in information assurance, computing security, which also gives us the opportunity to vet accurately, through a process of recruiting, very talented individuals," says Rep. Sheila Jackson Lee, D-Texas, the amendment's sponsor.

The panel adopted another amendment to encourage DHS to add veterans and unemployed computer technologists to the mix of its IT security staff recruits. Rep. Eric Swalwell, the California Democrat who sponsored that amendment, says DHS concentrates its cybersecurity recruitment and training on students, recent graduates and existing department employees, which is reflected in its programs, such as emerging leaders in cybersecurity, cybersecurity internships and job rotations among employees.

Swalwell says such programs don't help veterans who developed skills in the military that could be transformed into those needed by cybersecurity specialists, or middle-aged college graduates with extensive computer experience who find themselves unemployed. "DHS needs a plan to seek out these individuals, bring them into the department, and help train them for a job in cybersecurity," says Swalwell, whose district is just north of Silicon Valley.

Assuring Qualified Recruits

Rep. Jason Chaffetz, R-Utah, expressed a concern over the wording of the amendment, saying that it could result in the hiring of less qualified IT security personnel.

"To put an onus on the department to try to hire, for instance, the unemployed as opposed to somebody who may be currently employed, may sound good in some circles," Chaffetz says. "But I want to make sure it's crystal clear that we're trying to hire the very best people that deal with the safety and security of the people of this nation, and that should be our first and foremost goal here moving forward."

Swalwell assured Chaffetz that his amendment would not interfere with the hiring of the most qualified IT security specialists. "The intent is to broaden who we are looking at, not eliminating [individuals] who were looked at for the cybersecurity workforce," he says.

About the Author

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.
